Back in 2010, Auernheimer and his partner Daniel Spitler, part of a team calling itself Goatse Security, hacked into a public server owned by AT&T. That server housed hundreds of thousands of email addresses of customers who owned 3G iPads. Through trial and error and some ingenuity, group members discovered they could randomly guess iPad identification numbers and then use them to extract matching email addresses from that server.

AT&T's Security Loophole, Exposed

This security loophole on AT&T's site returned email addresses associated with ICC IDs, the unique serial numbers used to track and link SIM cards on mobile devices with specific subscribers. A PHP script that automated the process ended up harvesting a whopping 114,000 email addresses. Auernheimer then sent news of the group's work as an exclusive to Gawker.

(See also: U.S. Announces 120,000 iPad Users Had Their Data Stolen)

A day later in a blog post on the Goatse Security site, Auernheimer and company wrote:

I want to summarize this explicitly:

• All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration.
• The dataset was not disclosed until we verified the problem was fixed by the vendor.
• The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.

[...]

We did this to help you.

By its own account, AT&T responded with "swift action" to prevent additional intrusions: 

Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

Problem solved, right? Wrong. A week later Auernheimer was arrested after the FBI raided his house. He was then charged with major computer crimes under the Computer Fraud and Abuse Act (CFAA), the same legal club prosecutors have used to go after Aaron Swartz and, last week, Reuters social editor Matthew Keys.

(See also: Reuters Social Editor Indicted Over Anonymous Hack; Internet's Jaw Drops)

During the trial, AT&T admitted the server was publicly accessible, yet claimed Auernheimer's access was unauthorized. Under the CFAA, unauthorized access is a crime. But the statute's ambiguity on that score has opened the door for egregious prosecutorial overreach in this and other cases.

On Nov. 20, 2012, a jury found Auernheimer guilty of one count each of identity theft and conspiracy to violate the CFAA. Today, Auernheimer was sentenced.

Fair Or Fanning The Flames?

Supporters of Auernheimer say what he did was not a crime. Maybe it wasn't smart to expose a major vulnerability at AT&T and then rub the company's nose, but stupidity shouldn't be a federal offense. Friends and colleagues point out that the point of hacking is to gain something from it — and in this case, there was no money involved and nothing else to gain but besides a measure of celebrity.

Australian journalist and hacktivist Asher Wolf wrote a poignant piece today arguing that's it's insane to publicly tar and feather someone who spurred a company to fix a problem, even if he didn't choose the most orthodox means of doing it:

Putting Weev behind bars is pointless and tragic. Jailing the most outspoken men and women amongst our generation won’t stop the leaks, the hacks, the news revelations, the whistleblowers — and most of all it won’t stop the rage of the malcontent, dispossessed youth from eventually tumbling down upon the heads of the bureaucrats who sold us out and then tried to lock us up when we complained.

Bees To Honey

AT&T's vulnerability was basically low hanging fruit — just too easy a target for hackers to ignore. But the question of whether AT&T was asking for it is more complicated.

Sure, poor security is asking for trouble. But playing with fire will get you burned no matter how righteous and ethical you claim to be. "Our conduct doesn't happen in a vacuum," hacker Adrian Lamo — the guy who allegedly dropped a dime on Bradley Manning — wrote on Twitter today. "I don't think 3+ years is warranted for Weev, but in totality of circumstances, it's understandable."

I respect weev's reasons and even his means for their ethical consistency. But he got exactly what he planned to. He owns his outcome.

— Adrian Lamo (@6) March 18, 2013

Still, this is significant time for essentially not hurting anyone, as the British journalist Laurie Penny pointed out. By comparison, the Steubenville rapists were sentenced to just one year in juvenile jail.

Note that @rabite just got sent down for 3.5 years for computer violations. That's 1.5 years longer than the #steubenville rapists #freeweev

— Laurie Penny (@PennyRed) March 18, 2013

This isn't over. Auernheimer is appealing his conviction. And either another example will be made to hackers everywhere, or the sentence will be reduced.

At the end of the day, Weev and co. were nicer to AT&T than, say, hacker HD Moore — who published unpatched iPhone flaws and exposed another big bug in Apple's WiFi — was to Apple. But that doesn't seem to matter much in the boardrooms and courtrooms of America. In their view, all hackers are criminals.

Even many mainstream journalists think all hacking is a crime. Last night on 60 Minutes, for instance, Lara Logan basically accused Jack Dorsey's early work of bordering on just that. And even with the best of intentions, hackers' attempts to route around the system will likely never gain the benefit of the doubt with the public.

Instead, they'll just keep earning jail sentences, at least unless and until the courts — or Congress, though don't hold your breath — push back against prosecutorial overreach. And that, at least, will give them plenty of time to repent at leisure.

Lead image via Flickr user shane_curcuru, CC 2.0; image of Andrew Auernheimer via Wikimedia Commons

(See also In The Security World, Android Is The New Windows.)

It was a great conversation, touching on a wide variety of fascinating aspects of online and mobile security, and I wanted to share as many of them as possible.

This list seemed like the best way to do that. And while not every one of the dirty-dozen points presented here may surprise you, I can pretty much guarantee that few people will already know - or agree with - everything on the list:

1. Big Data is not new to the anti-virus industry. Turns out the anti-virus companies have been doing traffic analysis, incident sharing and code sharing for decades, Cobb claims. They just didn't call it Big Data until the term become fashionable.

2. Anti-virus companies have been practicing co-opetition since the 1980s, when they realized there was no percentage in one company being able to stop one virus while you needed another company to stop a different virus. They quietly began sharing virus signatures and other information, Cobb says.

3. All the major Web browsers share information on malware sites and other threats. Chrome, Internet Explorer, Firefox and the others all share which URLs to flag, for example. That's why when NBC.com was hacked recently and started spewing malware, everybody was able to block it almost immediately.

4. One of the hardest parts of securing Big Data is knowing where the data is actually stored. In the old days, when data was collected and stored, it didn't really move much. Now, in the cloud, Cobbs says we don't really know where data is stored. Malware creators are intent on exploiting that, but what form that will take remains to be seen.

5. One reason more high-value targets haven't been hacked is that there is still so much low-hanging fruit for the bad guys to go after. According to Cobb, so far, there hasn't been much need to try and crack the hardest targets.

6. Most attacks take the form of malware or hacking. Of the hacking attacks, Cobb says, 80% go after passwords that are either non-existent, guessed or stolen.

7. Anti-virus hasn't been about matching virus signatures for years. Some people say the anti-virus model doesn't work because so much new malware is coming out all the time that anti-virus solutions can't possibly keep up. But Cobb protests that most anti-virus software is continually detecting previously unseen malware.

8. People who know what they're doing on the Internet might be able to get by with no anti-virus software. But Cobb says people are fooling themselves when they claim: "I don't run anti-virus software and I've never been hacked." "Are you really OK telling everyone you know - your mom, for instance - not to run anti-virus software?" he asks.

9. There's still an incredible amount of spam out there. You don't see it, but it's still there. It's using a a huge amount of datacenter power to block it, but it's built into the network security appliance and you don't have to deal with it.

10. The overall trend is for increasing levels of security to be compressed into the core, to become part of a standard install. That's happened to anti-spam, to firewalls and it's happening to anti-virus, too.

11. It's a lot harder to write 64-bit malware than it is to write 32-bit malware. And that could help lower the number of attacks on 64-bit systems.

12. In many ways, hacking behavior seems to have gotten better over the years - at least in the United States, Cobb says. But we are now increasingly exposed to other, more dangerous places. The globalization of the Net has caught up with us even as the value of hacking has one way up. Today, hackers aren't just messing with us, Cobb notes, they're stealing from us. And that's a big new incentive.

Four Different Choices

Within the App Store for OS X can now be found four such stacks, courtesy of BitRock's Bitnami, a free software service that enables you to install various software stacks either natively on Windows, OS X or Linux; as a virtual machine in VMware or as an Amazon Cloud instance.

Full disclosure: I've been a Bitnami fan for a long time. The stacks it offers, which include Alfresco, ownCloud and SugarCRM, are very easy to install and are perfect for fast setup when I want to review software or slap a together a website.

The stacks offered in the App Store include Joomla, WordPress, Drupal and a generic MAMP stack (Mac, Apache, MySQL, PHP) - all popular website platforms that are installed natively on your Mac machine.

Bitnami stacks installed natively are not installed as they would be if you built the software in the stacks by scratch. Instead of code getting installed all over the place, the binaries for the stack are all placed inside one directory, completely self-contained.

A Different Kind Of Walled Garden

The Bitnami stack from the App Store, it seems, are walled off even more, according to reports from users. The App Store's sandboxing apparently makes configuring the software a little harder than it normally would be, so if you're going to do extensive development with these stacks, users are recommending you visit Bitnami and get the native installation packages from the company directly.

This is not to decry the App Store's Bitnami stacks. I pulled down the Joomla stack, installed and configured it, and was ready to work with it in minutes. I can play around with themes and extensions in Joomla to my heart's content. Best of all, there was little to no resource dragging on my system, which I sometimes experience when I run one of these stacks as a virtual machine in VMware or Parallels.

Serious developers may indeed want to pull down the images straight from Bitnami, or better yet, install one of these stacks as a full-on Amazon Machine Instance on the EC2 platform and create an eventual production version of the stack you're creating.

It's too easy not to.

Lead image courtesy of Shutterstock.

Among the more popular products to debut at last month's Consumer Electronic Show (CES) in Las Vegas, were cross-over machines, tablets and PCs designed for double-duty - to be used at home and in the office.

The shift towards BYOD (Bring Your Own Device) into the enterprise is unstoppable. Employees are happier - and more productive - when they're able to use their computers. Unfortunately, computers that travel from location to location (often left in places where they can be stolen) can be an easy vehicle for hackers to get into corporate networks. 

Only The Paranoid Survive

Like many industry innovations, BYOD offers as much opportunity for wily cyber-thieves as it does for corporate efficiency. Unless enterprises ratchet up their level of vigilance, 2013 is poised to become the most destructive year on record. That will play out in four main areas:

1. Mobile. Experts warn 2013 will be a banner year for mobile malware. Smartphones and tablets running Google's Android  operating system will hardest hit because of both its openness and the relative ease of adding apps. Historically, Windows machines presented the one target too big for hackers to ignore, and attacks on Windows PCs increased three-fold last year. But this year the action will expand to Windows 8 tablets. Out-of-the-box security features in Windows 8 make hacking harder. So many hackers are shifting their tactics to old-school methods like phishing and other techniques that rely on social-engineering of users instead of hacking the code itself

2. Political. Most hackers are simply greedy. But an increasing number are motivated by politics. They want to bring down organizations or businesses they deem offensive. Some of these politically motivated attacks have aims than can be more subtle than just destroying data or interrupting service. The New York Times recently discovered that Chinese hackers had penetrated their computers systems for four months, seeking information on an investigation into the wealth of a top Chinese leader and his family. The hackers eventually obtained the passwords of all Times employees, and used them to break into the PCs of 53 employees. A day later, The Wall Street Journal reported a similar attack.

3. New Gateways. HTML 5, the latest version of the HTML standard, allows users to personalize their browsing experience, and lets businesses build browser-based applications. But reducing the layers of technology between the browser and internal systems removes obstacles for would-be hackers. As businesses make greater use of popular social networking sites like Facebook and Twitter, hackers can gain access to personal data that can be used for phishing or other "social engineering" attacks. And there's also the potential for corporate networks to be infected by malware from social networking sites.

4. Hacking-as-a-Service? Believe it or not, hackers are providing suites of sophisticated tools so that even casual criminals can mount credible cyber-attacks. The availability of user-friendly hacking tools has the potential to expand the hacking universe by an order of magnitude.

Forewarned Is Forearmed

Remedies are available. Greater password security, network access restriction, firewalls, and abundant redundancies are some of the steps that can help prevent attacks. These are fixes for gaps in the system's hardware and software created by the businesses themselves because they were poorly designed or were not thoroughly tested.

The best way to thwart a would-be criminal hacker is often to hire an "ethical hacker" to design new applications and test them as well as the system as whole. It turns out that the most effective way to counter a hacker’s attacks is to provide him or her with a worthy - and human - opponent.

 Image courtesy of Shutterstock.

Jailbreaking isn't a difficult or highly technical process, but it does demand some caution. The evasi0n jailbreak tool comes with simple step-by-step instructions in its readme.txt file, but we thought a more thorough walk-through would be worthwhile, lest you accidentally delete your cherished, digitally-captured memories.  

(See Also: Why iOS 6 Jailbreaking Is Popular Enough To Break Cydia)

Note: The screenshots used in this tutorial were made on Mac OS X. For Windows and Linux, use the analogous options within iTunes.

1. Getting Ready: Download Evasi0n And Back Up Your Device

The first thing you'll need to do is download Evasi0n onto your computer. There are versions available for Mac OS X, Windows and Linux. Once it's downloaded, unpack it, install it and open it.

Before you do anything with Evasi0n, plug your iOS device into the computer via USB, and open iTunes so you can back it up.  When the device appears within iTunes, right-click it and choose "Back Up."  In iTunes, you have the option to back up to your local hard drive or iCloud. For the sake of speed, backing things up locally is probably the better option. Make sure the "Encrypt backup" checkbox is unchecked. 

If you've download apps directly to your device, you'll want to transfer those purchases to iTunes first. Go to File -> Devices -> Transfer Purchases from [whatever your device is called]. 

This way, when you restore the device, you won't lose anything. If any apps go missing, you can always restore them on the device later by going to the "Purchased" tab under "Updates" in the iTunes store. 

2. Back Up Your Photos And Videos

Backing up your device in iTunes does not include your photos and videos. Before proceeding with the jailbreak, import everything using iPhoto, Adobe Bridge or any other photo management software. If you don't back up the photos and videos on your device, you will lose them forever - and be sad.

3. Upgrade to iOS 6.1 (If You Haven't Already)  

If you haven't upgraded to iOS 6.1 yet, this is when you'll want to do so. Once everything is backed up, go to the device's "Summary" tab in iTunes and click the "Update" button under the iOS version number. 

Finally, if you use a passcode to lock your device, go into iOS's Settings and turn it off. It can apparently screw with the jailbreaking process. 

4. Launch Evasi0n And Jailbreak Your Device

 Once everything is backed up and updated, launch evasi0n. Take a deep breath. Click "Jailbreak." 

At this point, you might want to do some leisurely reading or get back to work, because the jailbreak itself may take 15-30 minutes to complete.  

After several minutes, evasi0n will ask you to go to wake up your iPad and tap the "Jailbreak" icon now installed on your home screen (alongside your existing apps). Do that. 

From there, evasi0n will inject the last of the jailbreak files onto your device and it will reboot itself. Unlike the older Absinthe A5 jailbreak, evasi0n will automatically restore your device from its backup, saving you the extra manual step. 

5. Getting Started With Cydia

Cydia is the jailbreak equivalent of Apple's App Store. At first glance, Cydia app store is not quite as polished as Apple's, but it doesn't take long to find your way around. 

You'll want to start by browsing through the "Featured" list and looking at the themes that are available. Cydia does a pretty good job of breaking things down into useful categories, and even provides a list of tools to start out with. 

There are a lot of apps, tweaks and design themes available in Cydia. It's worth taking the time to scroll through each list, check out the descriptions and screen shots, and start installing things you think would be useful for you. When I first jailbroke my iPhone 4, I started small by adding a fifth icon to the dock, enabling app-renaming, making Sparrow my default email client and adding a new theme. There are plenty of Siri-related tweaks, which you can find by searching "Siri" within Cydia. 

Other popular enhancements include additions to Notification Center, Wi-Fi tethering, game emulators and a variety of lock-screen modifications. Most tweaks and apps are free, but a handful of them cost a few bucks. The tethering and hotspot apps tend to run $10-$20, but price tags that large are otherwise pretty rare in Cydia.

The release of Evasi0n has been highly anticipated for owners of the iPhone 5 and fourth generation iPad, both of which shipped running iOS 6 by default. For others, the release means they can finally upgrade their devices to iOS 6 without losing the ability to download unauthorized apps and customize the look and feel of their iPhone, iPad or iPod Touch. 

High Jailbreak Demand

As is now standard for iOS jailbreaks, the launch of Evasi0n came with its fair share of technical difficulties. Demand is so high for jailbreaks that they tens to crash servers and cause performance issues on the hosting site - at least at first. In this case, the evaders team that developed it decided to use Google Sites, which apparently has a page view limit. After several failed attempts, I finally managed to get the .dmg file  to download. 

Although it probably felt like an eternity for iPhone 5 users, the release of the iOS 6 jailbreak arrived at roughly the same time as the Absinthe A5 jailbreak tool for iOS 5 last year. In December 2011, Pod2G released a jailbreak for iOS 5, but that didn't include the devices with A5 chips like the iPhone 4S and iPad 2. That tool arrived on January 20 of last year. So the new jailbreaking team was only slightly behind schedule with this one. 

The Evasi0n jailbreak was actually well underway as of last week, but the team didn't want to push it out prior to Apple's release of iOS 6.1, lest the company patch the exploits the team used to jailbreak. 

Why Jailbreak?

Jailbreaking isn't for everybody. While the process is relatively user friendly (so long as the directions are followed with caution and the device is backed up first), the experience is best suited for that subset of users who prefer to have the ability to customize their devices and download apps that wouldn't meet Apple's requirements for inclusion in the App Store. 

This includes things like like tethering your data connection to other devices and running classic video game emulators. For me, it's the little things. I like using Chrome as my default browser, renaming apps, customizing the design of my home screen and using Sparrow as my default mail client.  

To download the iOS 6 jailbreak, head over to evasi0n.com and select your operating system of choice. Depending on how overloaded the server is at the moment, be prepared to hit "refresh" more than a few times. 

This week in Santa Clara, Calif., Facebook's Open Compute Project held its very first hardware hackathon - a competition run in parallel to two days of talks and sessions tackling some of the tech industry's least sexy - but most foundational - challenges. 

(More from the Open Compute Summit: Facebook's "Group Hug" Frees The Microprocessor From The Motherboard.)

Operation Cheesy Fingers

The winning hack tackled server debugging - a notoriously analog process for anyone who's spent time in a datacenter. The team of four, including one Facebook mechanical engineer, crafted a way to aggregate the debug information from an entire rack and pipe it over the Web. "You could have someone managing a data center in Portland from Menlo Park," said Zak Homuch, one of the event's coordinators.

"The code name for this was 'Project Cheesy Fingers,' because the idea is that you should be able to run a datacenter by sitting in your recliner with a beer and cheetos," explains Andrew Cencini, a Bennington Computer Science Professor who led the software side of the hack. "The only reason you should get up from the chair and wipe the cheesy fingers off is if there's actually a problem."

From Hack To The Rack

The winning team gets a choice of having their design made into a prototype or being granted a provisional patent to protect their IP - Cencini's group chose the latter. The debug port hack, designed around Facebook's existing server hardware, could be a prototype with just a few more hours of work. Once prototyped, the design could be retrofitted to the company's existing servers painlessly, making the datacenters run more efficiently, all with just a handful of hours of crowdsourced collaboration.

Facebook And The Open Compute Project

The Open Compute Summit's hackathon had 100 entrants when it kicked off last Wednesday afternoon, though only about 40 saw the challenge through the full 12 hours. Other finalists included a chimney designed to pump heat away from the hardware and mesh that would create a 3D heat-model for a rack.

The Open Compute Project was conceived just 18 months ago by a small cluster of Facebook engineers. Steeped in the company's open source, hacker-friendly tradition, they wanted to pry the proprietary lid off of server and datacenter hardware, opening it up with the same collaborative gusto that thrives in the world of open source software.

Image by Taylor Hatmaker.

The tech industry is once again at a turning point. We've moved from a world of big monolithic applications to lightweight, contextual social and mobile apps. Apps, not applications. Apps in your pocket, connected to back-end services and data, with user context, and integrated into the social social graph.

Java and .NET developers represent the biggest pool of developers, but enterprise application-development practices too often have them stuck in the ‘90s. You wouldn’t use a phone from that era, yet enterprise developers are constantly asked to keep pace with today’s business using antiquated processes and technology.

Here are four tough questions enterprise developers should ask themselves when evaluating their IT culture, their own path to innovation and their own value in the field:

Question 1. What Am I Working With?

The Java stack is a huge collection of standards and class libraries, and then there are practical sets of tools Java developers use, like Eclipse, ANT and Maven. Visual Studio is the center of the .NET universe, but there are a huge set of classes, frameworks and SDKs to choose from.

But development practices have moved on. Being lightweight and agile is most important. You can’t innovate any other way. There's a huge productivity boon with the shift to modern frameworks like Rails, Django and Play, but most enterprise developers don't get to use them.

Sit back and look at the code you write over a week. Is it business logic? Does it add to the success of the business, and your career? Or are many, many lines of code simply going into boilerplate and plumbing? If you were going to write your own personal app, would you want your code to look like this?

1a. What You Should Be Doing

If the answer is that you would do something different for your own app, look for opportunities to introduce new frameworks into your organization. Start with a project that isn’t mission-critical. Demonstrate success and be the champion of change.

Question 2. How Often Do I Put Code Into Production?

The development world has moved from a planet of 12-month waterfall releases and deployment cycles to a galaxy of continuous delivery.

There is a bigger principle at work than just continuous integration and automated testing. It's rapidly and flexibly building apps that fit client needs and that deliver business results. Startups know smaller and less tightly coupled generally is better, and that lesson is important for enterprises, too..

2a. What You Should Be Doing

There are several takeaways here.

Read The Lean Startup by Eric Ries. Don't dismiss this as just a book about startups. It's about running projects with a relentless focus on testing for success or failure. You’ve got a browser open. Order it now.

In the meantime. analyze where you are as a professional in this evolution. Don’t be caught back with the old school.

If it’s in your power to choose, make sure your projects are leveraging small, agile teams of developers, designers and analysts. Don’t stop there, though. Bring in any department that can contribute.

Can you, for instance, push out small feature changes for rapid feedback? It’s better to err on nimbleness than on deliberate and top-down. Navigate to a point where you can craft a new feature in a matter of hours, then listen to the audience, revise and go live on the run.

Granted, you can’t upend the status quo singlehandedly. Ries offers some great pragmatic advice on how to accomplish change one project at a time. With your help, as soon as your company experiences the benefits of early and regular feedback on IT projects, it will begin to think of rapid development as an opportunity rather than a risk.

Question 3. Is My Organization A Laggard?

Your customer is the business’ end customer. Don’t forget that. Customers expect to be able to use the latest appropriate technology in dealing with the business, which means you need enough elbowroom to deliver that experience.

Give thought to the hoops you need to jump through to deliver innovation. Needlessly long processes and stultifying standards are the enemies of a healthy development culture. Legacy policies weren’t intended to limit innovation, but some do exactly that. Most policies were written before mobile apps, for example, existed. Challenge the conventional wisdom.

3a. What You Should Be Doing

Just to take that example, are you working on mobile apps? Are they social? Do they serve all of the major mobile operating systems? Enlist designers and user-experience experts to avoid developing to a detached, early-stage mission document.

Again, take small steps that meet organizational goals and market needs. Remember that you’ll have to do battle again, so back up successes. Show adoption. Show improvement. And most of all, show what changing your organization from a laggard to a leader can mean for your customer and the business.

Question 4. Do I Have A 2002 Or A 2012 Resume?

For the sake of argument, let’s say you work for a company that sees these ideas as heretical. You want to be first to realize that you don’t belong there.

Here’s an experiment: Picture your resume in your mind. Do you see a finely printed document in a serif font on bone-colored, textured paper? Yes? That’s a problem.

Your resume is a browser search. It’s your LinkedIn page. It’s probably your Facebook page (which should give a lot of people cold sweats).

Of course, you need the best paper resume money can buy, but that’s a formality. Your image begins forming with what you attach to your email or an employer’s careers tool, You can’t control every instance of when you pop up online, but where you can, you should. LinkedIn profiles (as should all resumes) tell the reader where you’re going, as well as where you’ve been. So tell that story.

4a. What You Should Be Doing

Make sure you are communicating your capabilities, such as using open-source tools, frameworks and libraries. Contributing to these projects.

Don't hire technical staff without some sort of footprint on Github. It signals that they are paying attention to the changes in the industry and keeping their skills sharp. It shows they work well with others, have great self-direction, and can rally around a shared purpose.

Github projects don't have meetings. They just do. I want to hire developers who do things, not those who sit in meetings.

Go beyond code confabs by getting involved in user groups. This says you passionately believe in something. As Fred Brooks, in The Mythical Man Month, relates, there's a huge productivity difference among developers. Those with great skills, who collaborate well with others, produce so many more quality features than those who don't.

Hire for passion. Passion makes game-changing apps.

Do you like what you see when you search your name? If yes, fantastic! Connect with me on LinkedIn, I’m always looking for developers like you.

If you don’t like what you see, find a project to get involved in. Pick up a new language like Ruby, or Node.js, or a new framework build using your current language skills. Contribute code. Connect with a local user group. Network, and just do. That’s what makes a great developer.

Summary

So that nets it out. I challenge you to sit back and think about these four questions. 

The biggest complaint from developers looking for opportunities to elevate their career is, “My company would never allow that.” More often than not, experience has shown me that the reason companies say "no" to change is because they don’t fully understand alternatives to status quo.

It’s up to you to present these alternatives, and do it in an intelligent way. What are you waiting for?

Image courtesy of Shutterstock.

Less than two weeks ago, David Petraeus was a decorated four-star army general (ret.), Director of the Central Intelligence Agency, and a husband of 38 years. Today, his reputation has been hit with a massive dose of shock and awe. 

Petraeus cheated and got caught, largely due to a lot of eyebrow-raising email activity from a man many would assume to know more about how to  cover his tracks. 

Here's how the Petraeus email fiasco unfolded, and some hints on better ways to conceal private email conversations, no matter what their purpose. 

Wrong Moves

The general created a fake Gmail account with a pseudonym to communicate with his lover and biographer Paula Broadwell. In order to communicate, Petraeus and Broadwell wrote messages to each other that they each dropped in a draft folder, to eliminate an email chain. This is called a "dead drop," and has been used by terrorists, including the guys behind the Madrid train bombing in 2004.

They both had access to the account, and would write and save draft messages for each other to read. While we don't know if the drafts were deleted after reading, or if the same draft was used over and over with old text deleted, we do know the basic pattern of this kind of interaction. Basically one person writes a note and logs off, then the other party logs on and reads the draft. This way no email is actually ever sent, and no email chain is created. In Gmail, draft messages are called conversations. Once these messages are "discarded," they are notoriously hard to recover. So, one of two things is likely in this scenario: Either they kept the draft conversations at the time that the FBI intercepted their communications, or the FBI worked with Google to retrieve the deleted drafts. 

Further mucking things up was the fact that Broadwell used a different Gmail account to send her threatening messages to Kelley. And both she and the General used the same Gmail account to share and write messages. So with all that, it would have been pretty easy for the FBI to lean on Google to reveal the IP addresses of the account in question, alerting the bureau of the location and numeric label of both the computers and networks behind the messages. (Note to all you cyber-lovers out there, the very outdated Electronic and Communications and Privacy Act states any content older than six months and stored in the cloud can be obtained by the government without a warrant.) 

Game. Set. Match.

What They Should Have Done

Remember, when trying to hide things from the FBI, no method is perfect, especially when they're already on your trail. The following tools are not 100% foolproof, but if employed early would have made for a much more convoluted game of cat and mouse, and might even have concealed the amorous activity long enough for the general and his fatal attraction to have escaped unscathed. 

 1. PGP Encryption: PGP stands for "pretty good privacy," and that's exactly what it is. The service encrypts data, like emails, which would have been another hurdle for the FBI to jump through. If this method would have been used, it would have forced Uncle Sam to deploy Trojan-style spyware onto Broadwell’s computer to uncover the emails. With Google snitching the General out, PGP might not have worked. For regular folks though, this tool is a good start. 

2. Hide Your IP: Tools like Tor, an open source method to conceal real IP addresses and Web browsing, would have masked their IP address identification. Another is Hamachi, an app that creates free, encrypted Virtual Private Networks (VPNs) between computers. Just use the VPN every time you log in, and don't log in from your home IP, and you should be safer. Well, unless you're LulzSec that is. 

3. Disposable Email: This message will self destruct after reading. Really. If the General really was 007, or even 007-ish, he would have used this method. Disposable email functions much like it sounds, with messages that are deleted after reading. Disposable email services include Spamex and Mailinator, which were originally designed to keep out spam, not the Feds. 

4. Don't Send Messages Online Period! Keep it offline! If this was 1972, short of the U.S. Postal Service intercepting their mail, this would have been the ideal method, and some inquisitive papparazzi snapping a photo would have been all they would have had to worry about. While the two did spend a good deal of time together in-person (Broadwell apparently traveled overseas to Iraq and Afghanistan to visit Petraeus), they might have been safer to keep the relationship in person only. The only truly private way to use email? Don't!

Besides, what's the best way to keep passion in a relationship? Charles M. Schulz said it best: "Absence makes the heart grow fonder."

Photo by hectorir.

Startups Attacking A Giant Market

Last week, I attended a Code for America demo day where seven startups, billed as the “inaugural class of the first-ever civic startup accelerator,” showed off their wares. The Code for America accelerator program hopes to disrupt the $170 billion government IT market, while providing new and improved services to U.S. citizens.

One of the startups, MindMixer, had already shown up on my radar. MindMixer helps local government and civic entities create instant online communities. The company has so far set up more than 250 organizations around the country.

MindMixer helps organizations collect ideas and perspectives and lets visitors vote on them, much the same way that I’m using Spigit to ideate solutions for America. One MindMixer community is ImproveSF, which is working to create a better San Francisco. Its “Design a New Library Card” challenge racked up 14,529 interactions.

Handwriting To Digital Isn't Easy

Another startup that drew much attention is Berkeley, Calif.-based Captricity. Co-Founder Kuang Chen reiterated how difficult it was to transform handwritten or other paper-based data into digital form.

Captricity uses real people for data entry but you do need either have a scanner or camera to upload text originals to the Web. The company currently has an offer you can’t refuse: the first 25 pages for new customers are digitized for free. It’s $0.20 per page after that.

As Code for America Director of Strategy and Communications Abhi Nemani tells me, “Captricity is one of the clearly compelling startups, it’s a problem we can all relate to.” The company already has received investments from Mitch Kapor’s Kapor Capital and others.

Social media startups were well represented by Measured Voice and Revelstone, both promising to improve civic engagement supported by analytics to track social engagement.

The Start Of Something Bigger?

Three other startups, Aunt Bertha, LeanSprout and Recovers are described on Code America’s site. As Nemani says, “This is the first accelerator class. The whole ecosystem needs to be built up, but this is the start of something bigger.”

I agree. Code for America has definitely struck the right tech chord. If you need more persuasive evidence that America needs to innovate, please see Kleiner Perkins Caufield & Byers General Partner Mary Meeker’s presentation “USA, Inc.” Key Points, which brilliantly articulates trends we should all be familiar with.

Code on.

The threat is so real that right or wrong, some security experts are publicly disclosing the weakest links to force action.

The Security Renegades

Leading the renegades is Dale Peterson, founder of Sunrise, Fla.-based Digital Bond, which specializes in monitor, control and alarm systems for industrial plants. Peterson runs Project Basecamp, in which researchers demonstrate the fragility of critical control systems.

Basecamp's latest target was Germany-based Smart Software Solutions, better known as 3S. Peterson's commandos found major vulnerabilities in 3S' CoDeSys, a software tool for programmable logic controllers (PLCs), which are computers that automate industrial tasks, such as operating valves. More than 250 ICS makers use CoDeSys.

The vulnerabilities would give access to the PLC upload code without an ID or password. That means a hacker would have full control of a controller. In exposing the weakness, Basecamp researchers also released exploit tools so 3S customers could test the vulnerabilities themselves.

Inadequate Response

The Department of Homeland Security responded with an alert that recommended manufacturers "take defensive measures to minimize the risk of exploitation of these vulnerabilities."

Tuesday, 3S confirmed the problem, saying, "We take this issue very seriously and are currently working on a solution."

At the same time, the company acknowledged that securing its products against cyber attacks was not its focus. "In general, we do not offer any standard tools in CoDeSys which are to protect the controller from a serious cyber attack."

That attitude is exactly why Peterson launched Basecamp, which he insisted discloses vulnerabilities already known to hackers and the manufacturers. His goal is to get vendors to stop making industrial control products that are "insecure by design" and to fix what is already in use. So far, his strategy hasn't worked.

"They complain and everyone says that it shouldn't be made public, yet we still don't see it getting corrected," Peterson said.

Was Stuxnet Not Warning Enough?

What can happen when hackers gain access to an industrial control system was demonstrated in Iran in 2010. A virus dubbed Stuxnet was unleashed in an Iranian nuclear facility, damaging centrifuges used to enrich uranium. The New York Times reported that the U.S. and Israeli governments developed the malware together.

3S is not the first company targeted by Basecamp. The research group disclosed in January vulnerabilities in widely used PLCs made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.

The researchers also have released exploit modules for some of the vulnerabilities in the popular Metasploit tool kit used by security experts and hackers.

Homeland Security does not support the work of groups like Basecamp. Marty Edwards, director of the department’s Control Systems Security Program, told Wired the agency "does not encourage the release of sensitive vulnerability information” until a solution is ready for distribution.

A 'Pre-9/11 Moment’

Partisan politics has prevented Congress from passing a cybersecurity bill to protect the nation from attacks on critical infrastructure. Lawmakers' inaction comes as the Obama administration warns that a strike can happen at anytime.

In a speech to a group of business leaders in New York this month, Defense Secretary Leon Panetta said the nation needed to heed the warning signs and bolster its cyber defenses to avoid another tragedy like the terrorist attack on Sept. 11, 2001. According to Panetta, the country is in a "pre-9/11 moment."

How far Congress will go to force manufacturers to secure industrial systems remains to be seen. Replacing or upgrading them would be expensive and companies would lobby hard against laws that would force them to make changes.

"We've been very disappointed in the Department of Homeland Security and the U.S. government," Peterson said. "They have not said out loud that these devices are vulnerable and need to be replaced." Peterson said he'll continue exposing security weaknesses.

His efforts are unlikely to produce much more than an occasional headline. Creating national cyber defenses requires forceful government action, private-public interaction and cooperation among companies and industries not seen since World War II. Let’s hope that happens before we're hit again.

Mom-and-pops often take fewer precautions, and when their customers also let down their guard, they all become easy prey. It might be more time-consuming to string together access to a lot of small businesses, but the prize – fat consumer financial accounts – is just as valuable as any stolen from big firms.

Security Polices Are Lacking

A recent survey of more than 1,000 businesses with less than 250 employees shows that nine in 10 have no formal policies guiding employees on how to avoid malicious sites that download malware. Commissioned by the National Cyber Security Alliance and Symantec, the poll also found that more than seven in 10 respondents have no guidelines for using Facebook, Twitter and other social media where cybercriminals will hijack accounts to distribute malicious links.

Privacy polices were also lacking. The survey found that 60% of the businesses had no guidelines for employees to follow regarding customer or employee information.

The Security Risks Are Obvious

Oddly, small-business owners understand the importance of Internet security.

Fully 73% said using the Internet safely was critical to their business, and 46% acknowledged it was very critical. In fact, nearly nine in 10 had one or more employees using the Internet for daily operations, with seven in 10 saying they were either somewhat or very dependent on the Internet for running their company.

Nevertheless, nearly 60% of the businesses had no contingency for handling a loss of customer or employee data, credit or debit numbers or intellectual property. Yet, nearly seven in 10 manage their own sites in-house, meaning if there's trouble, the small business is liable.

Size Doesn't Matter

So why the disconnect? Michael Kaiser, executive director of security alliance, said small businesses believe hackers are more interested in breaking into large companies that would seem to have much more valuable information.

"They may think their size protects them," Kaiser said.

What many small businesses don't realize is that hackers value information no matter the size of the company. They want names and passwords of employees' email accounts in order to identify customers and send them malware or links to malicious sites.

Small businesses “may not understand how the cybercriminal system works," he said. "A list of 200 customers may be incredibly valuable."

Of course, not all small businesses operate the same way. Those working with defense and financial firms are used to tighter security requirements, for example. More small businesses will have to upgrade to similar levels.

The Easy Pickings

Software powering electronic cash registers is a popular target. Last December, four Romanians were indicted in U.S. federal court for allegedly stealing credit-, debit- and gift-card numbers from the point-of-sale systems at 150 Subway restaurants and more than 50 other franchise and small retailers. The suspects were accused of charging millions of dollars to the accounts of 80,000 customers.

Chester Wisniewski, senior security adviser for anti-virus software vendor Sophos, said small businesses tend to fall behind in software updates that patch security flaws.

"A small business is a target that doesn't necessarily have any better security than my mom and dad," Wisniewski said.

Weak security by small businesses accounts for 90% of the payment data breaches reported to Visa. A study by Verizon found that nearly three-quarters of data breaches in 2011 involved businesses with fewer than 100 employees.

Share As Little Data As Possible

Put all the facts together and a person would be wise to share as little personal information as possible with a small business.

All business owners should consider the case of hotelier Wyndham Worldwide. It was sued this year by the Federal Trade Commission for failing to have adequate security to prevent the theft of payment card information of hundreds of thousands of customers.

There’s nothing to say a small firm can’t be victimized and then sued.

"I wouldn't store my credit card with anyone," Wisniewski said.

Many startups scramble to create a "minimum viable product," or MVP, to get a version of their product to market quickly for testing. It’s a great way to cost-effectively test a website or app with real users. But be careful, if your MVP is too minimalist, it could torpedo your company's future.

The issue is that an MVP is usually the customers’ first exposure to your product, and a bad first impression could have long-lasting consequences.

So don’t take the word “minimum” too literally. Your goal is not really to create a minimum product, but rather a high-quality but focused product that you can create and release quickly.

Know Your Users

When mapping out the functionality for an MVP, the first step is to understand your potential users.

Think of three people who might use your product and identify everything you know about them. What kind of car do they drive? Where did they go to school? What kind of phone do they have? And so on. The more you know about your users the better equipped you’ll be to determine the features they’ll want from your MVP.

Once you’ve worked out the essential feature set, build your MVP around that. Stay focused. Don’t waste time adding features for every potential user need and scenario.

Focus On The Alpha Hypothesis

Define your Alpha Hypothesis early and stay true to it. Don’t ever forget the core of what your product is and what makes it unique and desirable.

How do you define an Alpha Hypothesis? After you have defined your users’ needs, identify your business goals. Create a feature set where the two intersect. Don’t release an MVP until it includes all of those features.

Any startup should be able to articulate its competitive edge, and it’s essential that you include all of the functions that differentiate you from your competitors in the MVP, even if those functions are the most technically difficult to create.

When you allow real customers to use your MVP, you’ll be testing your Alpha Hypothesis, and you’ll be able to identify where you need to adjust the functionality to meet the needs of your market.

Set Your Sights High

If you’re aiming to create the next big thing, be prepared for the fact that you might just do it. Build your MVP to be scalable, so that it can handle large traffic numbers and complex functionality in a capable manner. This will avoid the need to rebuild the site from scratch if your traffic or the user needs become too great for the current setup to handle.

How do you make your MVP scalable? By utilizing Web technologies that will easily grow with your product.

For example, rapid application development tools and frameworks have made it easier and faster to prototype, create and scale web software. A lot of successful startups have used Web frameworks such as Django (Python), Rails (Ruby) and Cake (PHP), as well as emerging Javascript and mobile frameworks. To speed the development process, automate as much as possible and standardize the codebase to simplify the ramp up of new developers.

Infrastructure has also been evolving to allow lower cost, a lower barrier to entry and instant scalability. Cloud computing, cloud storage and NoSQL all allow startups to pay only for the data storage they are using at the moment, but still be able to quickly scale up resources as needed.

So don’t think of your MVP as a minimum product, but as a focused product. Then get it to market and be prepared to scale for when your product gets traction towards becoming the next billion-dollar company.

The new law calls for two years in prison or fines of up to 2 million yen, or about $26,000, for unauthorized downloading. While this activity has been illegal since 2010, Japan has not previously enforced the restrictions, according to BBC News. 

If the country enforces the new rule aggressively, there could be serious consequences for a society that is the second largest music market in the world behind the United States. The Recording Industry Association of Japan claims that only 10% of Japan's downloads are legal. In 2010, a study by that organization reported 4.36 billion illegal files were downloaded. That amounts to billions of ripped and pirated songs, and possibly millions of offenders ripe for prosecution. And YouTube is theoretically illegal now, because every time an unauthorized clip plays, the viewer's computer stores a temporary file in its hard drive cache.

Japan's law, called "neighboring rights," is intended to protect intellectual property. Secondary fees for content recreation (such as burning and sharing music) are allowed if the copyright holder is compensated. 

The Japan Federation of Bar Associations, a legal professional group, tried in vain to make the matter a civil rather than criminal issue, calling it a "property damage issue." But with pressure from Sony and other major companies, the argument failed to sway lawmakers. Neither did protests in July from groups of Japanese in Anonymous masks. 

Japan is the latest nation to crack down on illegal downloads, following the U.S. hits on Megaupload and Demonoid last month. But with such harsh penalties, and the long reaching implications for a nation that has historically downloaded more unauthorized files more than any but America, will this work? And can the government possibly enforce a law that is likely to effect so many?

Photo by Philippe Put

McKinnon is facing a Oct. 16 extradition hearing to the United States and, if convicted in a subsequent trial, he could face 70 years in prison for allegedly hacking into sensitive government systems on this side of the Atlantic.

Between February 2001 and March 2002, the self-style "Solo" allegedly hacked into 97 U.S. military and NASA computers, reportedly to find evidence of free-energy and UFO coverups. 

U.S. authorities claim he shut down the 2,000-computer network at the U.S. Army's District of Washington for 24 hours, taunting the government with a post on a military site: "Your security sucks".

While McKinnon admitted to hacking, he disputed that his work caused significant damage. In various interviews, McKinnon has characterized himself as a cannabis-smoking, "bumbling computer nerd" who the United States is trying to make an example of. 

Need-To-Know Basis

In 2005, McKinnon was told by the U.K. government to check in to his local police station every night and was banned from using a computer with Internet access. Around that time, the U.S. government sought his extradition, and he's been fighting it ever since, mostly citing health concerns. 

McKinnon's lawyers are hoping that their client's condition -- they say he has Asperger's Syndrome -- is enough to block his extradition. Lawyer Karen Todner says she's ready to take the case all the way to the High Court (Britain's equivalent of the Supreme Court). Some autism experts have warned of the risk that the 46 year-old McKinnon could commit suicide if convicted. 

Scottish police image courtesy Shutterstock. Image of McKinnon courtesy of Wikipedia Commons.

Bringing new and creative people into a business is a difficult task, so some agencies are using social media and games to draw in exactly what they need.

What's the best way to attract creative interns? A advertising firm in the Netherlands used the game "Draw Something" to bring in artistic interns by getting them to… draw something. Potential interns got onto Muse Amsterdam's radar by downloading the game and logging on to play with "Drawsome intern." It played out like a regular game, but instead of earning points, players with the most interesting drawings got an opportunity to interview for an internship.

Lourens Keers, Strategist at Muse Amsterdam explained the choice to use the game in an e-mail saying, "The people who use DrawSomething are not per se the talented people that we would like to work with, yet it is used by people that are into mobile applications. We're looking for creatives with interest for innovative media, so that's a match." 

This brings to light different ways agencies are trying to find exactly the kind of talent they want in their business. And it's not just ad agencies that are doing this, Keers pointed out that the British intelligence agency, GCHQ has also used technology recently to bring in new applicants. GCHQ made news last year by running an anonymous campaign that offered computer hackers the opportunity to get an interview by breaking a code. Typically, agencies like this get applicants straight from college, but with the increase in self-taught hackers, there was new a pool of talent to choose from. They used social media, Twitter and blogs to redirect potential hackers to a site and crack their code. Doing so (legally and ethically) redirected the user to a site with information on cybersecurity career opportunities within the agency. 

Closer to home, Mountain View programming startup Interviewstreet hosted a coding challenge called CodeSprint earlier this year. Participants were given the chance to solve real-world coding challenges over a two-day period to earn points and a possible interview with one of the 65 participating tech companies. Companies ranged from Facebook to Dropbox. 

The technological age is changing how a business finds new employees. As long as it looks like they're thinking outside of the box and not like they are desperate for young blood, it could boost a company's image.  It also doesn't hurt if your method of finding new employees is different and interesting enough to get a couple of news outlets to cover it...

Photo by allibean.

To find the best way to integrate core technical skills into a start up, we asked eight successful young entrepreneurs from the Young Entrepreneur Council (YEC) whether startups need tech-oriented founders.

1. How Innovative Is Your Technology?

If you want to start a tech company, you must understand the space. You don’t need to be a developer, but at minimum you need to have the background to know what traits a superstar developer has. It also depends on how innovative your technology is - if you’re using existing platforms and delivery methods, you can definitely hire out a great team to run your company. But if the tech itself is what you’re innovating, you need to understand what is happening inside your business. - Laura Roeder, LKR

2. You Need To Know Tech Basics

I really believe that what’s most important for a founder is the ability to have a vision for the company, make sales and hire well. That being said, when you’re in the startup phase, you need to be able to get stuff done – and that means you need to at least have some basic tech skills. It will also help you to hire better, and understand what’s possible and what’s not possible in terms of technology. - Nathalie Lussier, Nathalie Lussier Media

3. Tech Knowledge Is Cost-Effective

I may be biased - as I am a graphic designer with programming, Web and marketing skills - but to me it is highly important that a founder have some tech skills. We use technology in every business, from online sales and shipping to mobile Web. Being able to change your website on the fly based off a new analytic has been key in growing our online business. Understanding how to harness social media and being up to speed with the newest trending platforms allows us to be everywhere. This being done in-house means more revenue stays with us, compared to hiring a firm or paying a employee who requires training and possible review process, slowing down the speed of business and still adding a layer of time effort to the management team. - Jerry Piscitelli, Portopong LLC

4. You Need Basics, Hire For The Rest 

There’s a big difference between not knowing intense coding and not knowing anything at all about the space. For a founder to be able to navigate the industry, it’s important that he/she knows enough about trends in the industry and has a basic understanding of tech. One of the worst things I’ve seen are very non-technical VC’s teaming up and opening tech companies. Sometimes their idea for a company has already been done and not worked, but the founders don’t know that because they haven’t been in the field long enough. - Caitlin McCabe, Real Bullets Branding

5. Tech Skills Help, But Aren’t Necessary

As an Internet entrepreneur, tech skills are certainly helpful (at the very least so you know when you’re paying a fair fee when outsourcing), but they’re most definitely not necessary. I started TheBeautyBean.com barely knowing what WordPress was, let alone how to run a website. Sure, I’ve made mistakes (likely more with regard to technology than a founder with tech skills would have), but founders can’t be good at everything – and I make fewer mistakes in other areas. All entrepreneurs have to outsource parts of their businesses in order to use their skills most effectively. For me, that means outsourcing tech. And so far it’s worked quite well. Knowing your weaknesses is far more essential than not having any. - Alexis Wolfer, The Beauty Bean

6. Buy It, Share It, Or Be It 

If you are unable to build your own tech product, you only have three options: 1. Pay a company to build your product, which could cost $80,000 to $100,000 for an initial app and website, and even more as you add features and improve your product in response to customer feedback. 2. Give up equity in your company. Software programmers are in extremely high demand - you’re competing with Facebook, Google and thousands of other startups. Very early-stage startups may have to give up as much as 30% of their company to bring on a rockstar programmer. 3. Learn to build the product yourself. This is the most time-consuming option, but is often the best. By doing so, you could save capital and equity, and at the very least, adopt the skill set to better oversee options #1 and #2. - Doug Bend, Bend Law Group, PC

7. Communication Skills Are Even More Important

I was a sociology major in college. When I started my social network, I didn’t have any tech skills. What I did have, however, was a lot of passion for my idea and the ability to communicate the vision that I wanted to create. What I’ve found is that you don’t necessarily need to have tech skill yourself, but you do need to be able to clearly communicate your vision to others, to excite them to join you in your journey. - Eric Bahn, Beat The GMAT

8. Develop Tech Skills As You Grow

I’ve learned most of my tech skills on the job. Currently, I’m teaching myself to program in Python. I’ve been in business for years and I’m always picking up a new skill set. You don’t need too much in the way of tech skills right out of the gate. You’ll learn a lot out of sheer self-defense as you go along, especially if you need to judge the work of technical hires or sell a technical product. That said, being an entrepreneur is easier if you’ve got at least some of the skills that you’ll need to execute your idea in place before you start. - Thursday Bram, Hyper Modern Consulting

The Young Entrepreneur Council (YEC) is an invite-only nonprofit organization comprised of the world’s most promising young entrepreneurs. The YEC recently published #FixYoungAmerica: How to Rebuild Our Economy and Put Young Americans Back to Work (for Good), a book of 30+ proven solutions to help end youth unemployment.

Guest author Jason van Zyl is the founder of the Apache Maven project, the Plexus IoC framework and the Apache Velocity project and helped establish Codehaus, an incubation facility for open-source community projects. He currently serves on the board of the Eclipse Foundation and is CTO of Sonatype.

For most of its history, software has been written – applications consisted primarily of custom-developed code and internally developed components with only a small fraction of code sourced from outside the organization. During the past ten years the widespread use of cloud- based infrastructures and the rise of open-source technologies have heavily influenced the software development landscape with start-ups and established organizations demanding increased flexibility and improved time to value.

As a result, modern software development has become increasingly component-based, where applications are assembled from existing components rather than written from scratch and the vast majority of components are sourced from outside the organization. In most cases externally sourced components are open source. In fact, more than 80% of a typical Java application is assembled from existing open-source components and frameworks.

The GitHub Effect

Just how popular collaborative, open-source development has become was made clear with the historic $100 million investment by Andreessen-Horowitz in GitHub, the code sharing and social networking site for programmers.

Developers are turning to forges like GitHub at an accelerated rate and with good reason. It’s easy to use, the cost is nominal and it provides an invaluable service – version control for community-driven projects and the simplification of contribution management.

GitHub, and other repositories like it, democratize open-source development and help young projects grow. But once source-code graduates and becomes binary code ready for mass adoption, project teams distribute their finished products via the Central Repository – a free, openly available, cloud-based repository where developers distribute their software to millions of users globally. The Central Repository, which is operated by Sonatype, has become the industry’s primary source for open-source artifacts, housing more than 400,000 components, servicing more than 7.5 billion requests per year to 60,000 organizations worldwide, including more than half of the Global 2,000.

Complex New Risks

While development teams have embraced agile software development processes – rapid, continuous and collaborative – the shifting software development landscape has also introduced new risks and requirements. Applications can be composed of hundreds of components sourced from myriad open-source projects and these components can in turn, depend on other components, known as transitive dependencies. This creates an enormously complex supply chain, where a single application may contain components originally published by dozens of individual projects.  Whether provided by commercial vendors or open-source initiatives, components can introduce significant management, security and licensing challenges. Recent analysis by Aspect Security using data from the Central Repository uncovered widespread security vulnerabilities among the most commonly used open-source components.

Component flaws may pose substantial business and technical risks to an organization, including security breaches and intellectual property claims as well as application stability and performance defects. Few organizations, let alone cash-strapped start-ups, have the proper controls in place to mitigate the risks posed by flawed components.

A complicating factor is the the double-edged sword of open-source innovation. On the one hand, open-source projects evolve and release frequently (the average component is updated four times per year) enabling users to reap the benefits of rapid innovation and bug fixes. On the other hand, the ecoystem lacks an effective update awareness mechanism, making it very difficult to keep up with projects and manage change – especially for large enterprises that consumes thousands of components each month.

Component Lifecycle Management

To firmly establishing both control and visibility across today’s complex and agile software supply chain, organizations young and old should take the following steps toward Component Lifecycle Management (CLM) – the practice of proactively managing the use of components throughout the supply chain.

Step 1: Inventory – Gather information about your current component usage

• Tack component downloads and usage to understand consumption.
• Inventory internal component repositories to determine what is being distributed to development teams.
• Understand the software supply chain to determine which components and dependencies are being introduced to the organization.

Step 2: Analyze – Understand vulnerabilities in applications and repositories

• Analyze key applications to uncover known security vulnerabilities.
• Analyze internal component repositories to discover vulnerable components.

Step 3: Control – Establish controls throughout the development lifecycle

• Establish policies regarding security, the use of viral licenses and out-of-date or out-of-version components.
• Eliminate or blacklist known vulnerable components in internal repositories.
• Establish mechanisms to prevent known flawed components from entering the organization.
• Implement controls in build and continuous integration (CI) systems to prevent inclusion of flawed components in software builds.

Step 4: Monitor – Maintain awareness of component updates

• Maintain an inventory of all components and dependencies used in production applications.
• Continuously monitor application bill-of-materials for updates and newly discovered vulnerabilities.

Properly managing the use of open-source components throughout the software development lifecycle will let organizations focus not merely on the cost savings it can bring, but also on the wealth of innovation. The component revolution is upon us.

Are you ready?

Genentech/Roche

How do you grow your internal mobile app portfolio to 112 different apps over time? Paul Lanzi, the mobile apps team manager for Genetech/Roche, likes to give his apps cute names, such as "Peeps" for the corporate personnel directory and "Kudos" for employee rewards.

Lanzi set out to make the company's knowledge workers the best mobile-equipped workforce in biotech. Genentech/Roche currently supports more than 13,000 iPads, 10,000 iPhones and 18,000 Blackberries. Half of its users have more than 55 apps, and some have more than 300 apps on their devices. The company took a long-term view towards creating a solid application infrastructure that could be reused, which is why it has so many internal apps. It used a mixture of custom code and commercially available apps to provide access to existing SharePoint and SAP back-end systems that were already in popular use.

Eli Lily

Lilly, another big pharma company, wanted to meet the needs of a mobile salesforce that is present in 125 different countries. It chose more commercial apps, and focused on "simple apps that do one thing, and do it well," said Tom Nienhaus, part of the company's mobility team. "We were trying to provide Web access to various enterprise data platforms to our iOS users," he said. Lilly's architecture relies more on Apple's security and data protection APIs, as you can see in the architecture diagram below.

Northern Trust Bank

Northern Trust's client managers -- the people who work with very wealthy individuals - wanted to be able to bring a client's portfolio and review what actions the bank should take with a client's investments. They wanted to do this on the iPad, no matter where their clients were located. "We frequently have our managers get on private aircraft or yachts with our clients, and needed an app that would work under those circumstances, regardless of connectivity and Internet access," said Chris Price, one of the bank's vice presidents and a system architect. The bank designed an iPad app for this disconnected situation from the start.

Each of the three companies had to make a variety of decisions in building their apps. For example, they had to choose whether to code a native iOS app or not, what middleware and APIs to use, how to implement the various security requirements and what kind of internal app store to use to deploy their app. Adding up all these factors means handling lots of different pieces of technology.

"We typically build Web-centric apps because they are easier and quicker than native iOS apps, but in this circumstance we wanted the iOS app to make it more secure, particularly when it was in online mode," said Northern's Price. The bank was worried about various Web-based attacks like cross-site scripting and SQL injection that could compromise their data. Also, the native app could be made more efficient with its use of local storage.

Enterprise iPad Lessons Learned

All three companies shared some key lessons they learned from rolling out corporate iPad apps:

• Get the first app right. Genentech's first app was a SalesForce.com add-on that took close to eight months to develop because of all the various infrastructure pieces, including security, middleware gateways, authentication and identity management. But once all this was in place, the company's second app took much less time. "Indeed, we were able to leverage 80% the non SalesForce-related Web services that we built for the first app," said Lanzi.
• Know your middleware. Northern Trust Bbank and Eli Lilly both employed middleware from Layer 7. Both wrote some additional custom middleware code to work with their back-end systems. Genentech also used a commercial middleware solution.
• Plan for the worst case security scenario, especially when your users are roaming all over the world on untrusted networks. All three companies worked to make sure that even if an iPad was lost or stolen, none of its data would be compromised.
• Invest in your user experience design. There is a difference between interface design and user experience, and make sure your developers know how to distinguish the two. Lanzi mentioned Genentech's early experience with an "On the Road" app as an example of what not to do.
• Foster inter-department code sharing. Lanzi spoke about "fostering" the coding that was already developed for Genentech apps so that others in the organization could more readily build their own mobile apps. "Even if I could scale my team to three times its current size, I still could not meet the demand of all the mobile apps that my users want me to build." He put in place a series of common code libraries for his iOS native apps for functions such as jailbreak detection, identity management and authentication, and gave these out to all of the company's internal developers. Genentech is working on common HTML5 libraries and other Web services too.

Your company may not have as many internally developed apps as Genentech does, but your apps will be better from following its principles. "We have no tolerance for bad apps around here," said Lanzi.

Lead image courtesy of Shutterstock.

Girls Who Code is working to close the tech gender gap by teaching girls 13 to 17 the skills they need for a career in technology. Its first program is this summer, eight weeks of 8-hour sessions in New York City where 20 girls are learning everything from coding to pitching a business plan to investors.

Program founder Reshma Saujani, an unsuccessful 2010 candidate for Congress and former deputy public advocate for New York City, says she started Girls Who Code not only to educate girls but to inspire them to believe that they can indeed pursue a career in technology.

It’s Still A Man’s World

Getting started is one thing. Inspiring them to stick with it could be more difficult. Consider Silicon Valley, circa 2012. Marissa Mayer notwithstanding, it’s a sort of parallel universe, fueled by testosterone and 5-Hour Energy drinks, where young male programmers freshly empowered by the te ch boom revel unselfconsciously in a high-fiving culture of chips and beer.

It’s a place where breasty booth babes are still a must at gadget shows. Where recruiters invite guys to parties with hot tubs full of naked women. Where accelerator grads include slides of bikini-clad chicks in their pitch-day presentations - because they can. And where a company called Sqoot holds an API hackathon with a list of “great perks” that includes massages, a live DJ and “Women: Need another beer? Let one of our friendly (female) event staff get that for you.”

Serious Support For Girls

Girls Who Code has funding from a range of corporate sponsors, including GE, Google, eBay and Twitter (it’s Twitter’s first philanthropic investment). Every contributor not only writes a check but also hosts a field trip, donates equipment or sends a speaker. Among those on tap this session are Jack Dorsey of Square, GE chief marketing officer Beth Comstock and Gilt Groupe founder Alexis Maybank.

“These companies don’t just want to close the technology gap because it’s the right thing to do for the country but because it’s the right thing to do for their business,” Saujani says. “They understand they can’t out-innovate unless they have the people who are using their products actually making their products.”

She points out that while women use the Internet 17% more than men do and create two-thirds of the content at social media sites, they earn only 14% of computer science degrees.

“At age 13 or 14 there is something that happens that makes girls think coding or engineering is not for them. Part of our mission is pushing girls to go into these technical fields and overcome their aversion to risk.”

And to jobs that invite them to “bro down and crush code.” It’s a noble mission but it won’t be easy.

Images courtesy of Girls Who Code.